Anyone else have this IP trying to hack your system?


#1

I have found that a specific static IP has been making constant attempts to gain access to multiple clients’ UCM systems. Doing a quick Google of the IP brings up others reporting this same IP specifically trying to gain UCM access. I went ahead and blocked it in Firewall rules for my clients, but thought I would share so others may take caution as well.

IP: 96.254.123.180


#2

This doesn't happen if:

  • no public IP checks to the UCM
  • create appropriate ACL rules on the Firewall

n.b.: these measures are essential for running any VoIP server regularly


#3

Hi, blocking the IP alone will not help you; we encountered a situation recently.
Refer to my post where we dealt with it effectively: UCM Weblogin loop
The reason this happened was the 3rd party IT company that manages the firewall did not have any specific rules to prevent an attack like this on the UCM. I will use the terms router and firewall interchangeably.

Blocking the one IP is futile; as you can see from my post, the IP address changes in seconds.
You need access to your UCM, and setting up a VPN can also be a bit difficult in terms of equipment, and worse if a 3rd party IT company manages the network.

So the question is: what do you block and what do you allow, and how do you do this to allow yourself and your provider to be able to gain access to your UCM?

This is the only practical, logical method I know of and have used. If anyone has a better workable solution, please share or improve my answer.

You have port forwarding set on your edge router to <internal_IP_UCM:8089>. You need to get access to this device from your dynamic IP (if you always gain access from a fixed IP you can create an even stricter rule), but I will presume you get a dynamic IP from your ISP.

Simply block all international IPs or, if you choose, all IPs on your edge router. Depending on what router you use there may be different ways to do this; we use Sophos and/or MikroTiks and it's very simple. If you find that difficult you can deny all IPs on the incoming interface (WAN interface): traffic is coming in to you from the WAN, so you are blocking inbound connections, and explicitly allow your provider's IP range and all of the possible ISPs you may use to connect from.

Then ensure your Fail2Ban on the UCM is correctly set up and tweak the settings in terms of ban duration; make sure to enable Asterisk Service or the Fail2Ban will not work.

Dealing with these kinds of stupid things has become a regular exercise, and since web servers are made to be accessed by legitimate users you cannot run or complicate your administrative tasks. From the over 300 UCMs we administer, the Fail2Ban has always worked flawlessly; with the increase in these types of silly attacks, the above settings I explained on the router/firewall will give you good protection.

Hope this helps.
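As an added illustration of the policy described in posts #2, #3 and #5 (this is example code written for this thread, not anything posted by the members above or shipped by Grandstream): a default-deny inbound rule on the WAN interface toward the forwarded UCM web port, an explicit allow-list for the SIP provider's range and the ISP ranges the administrators connect from, and a Fail2Ban-style counter that bans a source after repeated failed web logins. The port 8089 comes from the post; the address ranges, the class and function names, and the log record format are all constructed for the example (the real UCM syslog format is not reproduced here).

```python
import ipaddress
from collections import defaultdict, deque

UCM_WEB_PORT = 8089  # the forwarded web port named in the post

# Constructed allow-list (assumption for this example): the SIP provider's
# range and the ISP pool the administrators connect from.
ALLOW_LIST = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed: SIP provider
    ipaddress.ip_network("198.51.100.0/22"),  # constructed: admin ISP pool
]


def inbound_allowed(src_ip, dst_port, allow_list=ALLOW_LIST):
    """Default-deny inbound rule for the WAN interface.

    Only traffic to the forwarded UCM port from an allow-listed range passes;
    every other inbound connection is dropped, which is what "deny all on the
    WAN interface, explicitly allow your provider" amounts to.
    """
    if dst_port != UCM_WEB_PORT:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allow_list)


class LoginBanTracker:
    """Fail2Ban-style counter: ban a source after `max_fail` failed logins
    within `find_seconds`, for `ban_seconds` (names are this example's own)."""

    def __init__(self, max_fail=5, find_seconds=600, ban_seconds=1800):
        self.max_fail = max_fail
        self.find_seconds = find_seconds
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.banned_until = {}              # src -> epoch second the ban expires

    def is_banned(self, src, now):
        until = self.banned_until.get(src)
        return until is not None and now < until

    def record_failure(self, src, now):
        q = self.failures[src]
        q.append(now)
        # Drop failures that fell out of the observation window.
        while q and now - q[0] > self.find_seconds:
            q.popleft()
        if len(q) >= self.max_fail:
            self.banned_until[src] = now + self.ban_seconds
            q.clear()
        return self.is_banned(src, now)


def parse_log_line(line):
    """Parse a constructed record '<epoch> <src> <dport> <result>'."""
    ts, src, dport, result = line.split()
    return int(ts), src, int(dport), result


def process(lines, tracker=None):
    """Run each record through the firewall rule first and, for the ones the
    firewall lets through, through the login-failure tracker.
    Returns a list of (src, verdict) tuples."""
    tracker = tracker or LoginBanTracker(max_fail=3, find_seconds=60, ban_seconds=600)
    verdicts = []
    for line in lines:
        ts, src, dport, result = parse_log_line(line)
        if not inbound_allowed(src, dport):
            verdicts.append((src, "dropped-by-firewall"))
            continue
        if tracker.is_banned(src, ts):
            verdicts.append((src, "banned"))
            continue
        if result == "FAIL":
            banned = tracker.record_failure(src, ts)
            verdicts.append((src, "banned" if banned else "fail"))
        else:
            verdicts.append((src, "ok"))
    return verdicts


SAMPLE_LOG = [  # constructed records
    "1000 96.254.123.180 8089 FAIL",  # the IP reported in the thread; not allow-listed
    "1001 96.254.123.180 8089 FAIL",
    "1010 198.51.100.7 8089 FAIL",    # admin mistypes the password from an allowed ISP range
    "1020 198.51.100.7 8089 FAIL",
    "1030 198.51.100.7 8089 FAIL",    # third failure within 60 s -> banned for 600 s
    "1040 198.51.100.7 8089 OK",      # correct password, but still inside the ban window
    "1700 198.51.100.7 8089 OK",      # ban expired -> allowed
    "1800 192.0.2.55 22 OK",          # port not forwarded, source not allow-listed -> dropped
]

if __name__ == "__main__":
    for src, verdict in process(SAMPLE_LOG):
        print(f"{src:16} {verdict}")
```

The firewall check runs before the login counter on purpose: a source outside the allow-list never reaches the UCM's web server, so Fail2Ban only ever has to deal with the ranges you chose to expose, which is why the poster's combination of edge ACL plus Fail2Ban holds up better than either alone.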


#4

Whilst it is often suggested that you should block all public IPs to the UCM, I don’t understand how this will work if you have softphones connecting to the PBX from outside the LAN.

Dan


#5

Hi, the softphones will be registered with the SIP provider; the SIP provider IP will be allowed.

If however you need the softphone to register as a remote extension to the PBX, you can then create a rule to allow your provider's entire range, even if it is a mobile device.


#7

Hi there!
The same IP 96.254.123.180 is trying to access with the admin account to our Grandstream UCM at a clinical center in Chile.

It Is very strange…


#8

Not this IP, but I did have another one trying. It was only possible (I think) because of a fault with an outdated firmware version on a router.


#9

There's nothing strange about it: create the ACL rules on the firewall and you'll see that no one will reach the UCM remotely anymore (except those you authorize).